jmgomez-IAA / loogbook

Personal web page

Post ideas: debugging, executable analysis and reverse engineering #25

Open jmgomez-IAA opened 5 years ago

jmgomez-IAA commented 5 years ago

Advanced use of hexdump

jmgomez-IAA commented 5 years ago

Build tools for reverse engineering using Python

jmgomez-IAA commented 5 years ago
jmgomez-IAA commented 4 years ago

Logic Analyzer

Bus Pirate

jmgomez-IAA commented 4 years ago

Sniff Data

Serial port UART device

socat allows us to set up a man-in-the-middle on the UART ttyUSB traffic.

socat -d -d pty,link=/dev/ttyUSB0,raw,echo=0,b115200 pty,raw,echo=0,b115200

The -d -d option selects the debugging level. The address type is 'pty', a pseudo serial port. We need a 'raw' port, one which passes each character through exactly as sent.

We are using 3 shells:

Create a virtual serial port, which should forward commands to a file. In our case the FTDI creates 2 devices:

$]# ls /dev/ttyU*
/dev/ttyUSB0 /dev/ttyUSB1

The /dev/ttyUSB1 device is the one in use, so let's create a virtual port and associate (tunnel) it to /dev/ttyUSB1 using socat.

Shell1

$]# sudo socat /dev/ttyUSB1,raw,echo=0 SYSTEM:'tee uart_input.bin | socat - "PTY,link=/dev/ttyUSB2,raw,echo=0,waitslave" | tee uart_output.bin'

Device /dev/ttyUSB2 should be created if socat succeeds.

Shell2

      grmon > batch sample_script_with_commands.tcl
      grmon > quit

Now the data transmitted from shell2 to /dev/ttyUSB2 is stored (in binary) in the file uart_output.bin, and the data received from /dev/ttyUSB1 is stored in uart_input.bin.

Shell3

$]# xxd <uart_output.bin
$]# xxd <uart_input.bin

USB FTDI device

Wireshark intercepts the data from usbmon.

Installation

$]# sudo yum install wireshark-gnome wireshark

Procedure

Capture the FTDI traffic:

$]# lsusb
Bus 002 Device 002: ID 8087:8002 Intel Corp.
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:800a Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 17aa:1034
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 003: ID 0bda:0129 Realtek Semiconductor Corp. RTS5129 Card Reader Controller
Bus 003 Device 002: ID 17aa:1034
Bus 003 Device 017: ID 0403:6010 Future Technology Devices International, Ltd FT2232C/D/H Dual UART/FIFO IC

Among others there is a Future Technology Devices International, Ltd FT2232C/D/H Dual UART/FIFO with Device ID 0403. That is our FTDI converter. It is located on USB Bus 003, so Wireshark should intercept traffic on usbmon3. We have to load the usbmon kernel module to sniff the FTDI. Let's create a filter to receive only the data of interest: usb.device_address == 17

Links

Monitoring (Sniffing) /dev/ttyUSB0 created by FTDI USB Serial Converter
Capturing USB Serial data using wireshark
Building Wireshark 2.4.0 for CentOS 7
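The socat pipeline in the comment above does three things at once: it publishes a virtual serial port, forwards every byte to the real adapter, and tees each direction into a file. The script below is an added example (not code from this issue or its author) that reimplements the same interposition in Python, so the logging logic is explicit and can be extended (timestamps, per-command splitting). The class name UartMitm, the pump() method and the command-line usage are assumed names; the log file names uart_output.bin (client to device) and uart_input.bin (device to client) follow the comment. It is Linux/POSIX only (ptys, termios), and the real device path is a parameter, so it can be pointed at /dev/ttyUSB1 or, for an offline check, at the slave side of a second pty.

```python
"""UART man-in-the-middle in Python: expose a virtual serial port, forward
every byte to the real adapter, and tee both directions to files.

Added example, not code from the issue. Assumed names: UartMitm, pump(),
the usage in main(). Log names follow the post: uart_output.bin holds what
the client sent to the device, uart_input.bin what the device answered.
Linux only (ptys, termios)."""
import fcntl
import os
import pty
import select
import sys
import termios
import tty


class UartMitm:
    def __init__(self, device_path, link_path, to_device_log="uart_output.bin",
                 from_device_log="uart_input.bin", baud=115200):
        # Open the real adapter without blocking on carrier detect, then go
        # back to blocking I/O; select() below does the waiting.
        fd = os.open(device_path, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
        flags = fcntl.fcntl(fd, fcntl.F_GETFL)
        fcntl.fcntl(fd, fcntl.F_SETFL, flags & ~os.O_NONBLOCK)
        tty.setraw(fd)                        # raw: no echo, no CR/LF mangling
        attrs = termios.tcgetattr(fd)
        speed = getattr(termios, "B%d" % baud)
        attrs[4] = attrs[5] = speed           # ispeed, ospeed (socat's b115200)
        termios.tcsetattr(fd, termios.TCSANOW, attrs)
        self.dev_fd = fd

        # The virtual port the client (e.g. grmon) talks to: a pty whose slave
        # side is published under link_path, like socat's PTY,link=... option.
        self.master, self.slave = pty.openpty()
        tty.setraw(self.slave)
        if os.path.lexists(link_path):
            os.unlink(link_path)
        os.symlink(os.ttyname(self.slave), link_path)
        self.link_path = link_path

        self.to_device_log = open(to_device_log, "ab", buffering=0)
        self.from_device_log = open(from_device_log, "ab", buffering=0)
        self.stats = {"to_device": 0, "from_device": 0}

    def pump(self, idle_timeout=None):
        """Forward traffic both ways. Returns the byte counts once the line has
        been idle for idle_timeout seconds (None = run until a side hangs up)."""
        while True:
            ready, _, _ = select.select([self.master, self.dev_fd], [], [], idle_timeout)
            if not ready:
                return dict(self.stats)
            for fd in ready:
                try:
                    data = os.read(fd, 4096)
                except OSError:               # client side hung up on the pty
                    return dict(self.stats)
                if not data:
                    return dict(self.stats)
                if fd == self.master:         # client -> device (what grmon sent)
                    self.to_device_log.write(data)
                    os.write(self.dev_fd, data)
                    self.stats["to_device"] += len(data)
                else:                         # device -> client (what the target answered)
                    self.from_device_log.write(data)
                    os.write(self.master, data)
                    self.stats["from_device"] += len(data)

    def close(self):
        for f in (self.to_device_log, self.from_device_log):
            f.close()
        for fd in (self.master, self.slave, self.dev_fd):
            os.close(fd)
        if os.path.islink(self.link_path):
            os.unlink(self.link_path)


if __name__ == "__main__":
    # Usage: python3 uart_mitm.py /dev/ttyUSB1 /tmp/ttyUSB2  (then point grmon at /tmp/ttyUSB2)
    if len(sys.argv) != 3:
        sys.exit("usage: uart_mitm.py REAL_DEVICE LINK_PATH")
    mitm = UartMitm(sys.argv[1], sys.argv[2])
    print("virtual port ready at", sys.argv[2], "->", os.ttyname(mitm.slave))
    try:
        mitm.pump()
    finally:
        mitm.close()
```

The proxy keeps its own slave descriptor open, so the client can disconnect and reconnect (for example, restarting grmon) without the master side reporting EIO and the capture stopping. Both log files are opened unbuffered, so they can be inspected with xxd while the session is still running.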
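For the usbmon capture, the two numbers that matter come straight out of lsusb: the bus number picks the usbmon interface, the device number goes into the Wireshark filter. The script below is an added example (not from this issue or its author) that parses lsusb output and derives both. The lsusb text embedded in it is a constructed sample copied from the listing above, and the function names parse_lsusb, find_by_vendor and capture_plan are assumptions. Two caveats it builds in: 0403 in "0403:6010" is FTDI's USB vendor ID (6010 is the FT2232 product ID), so it matches on the vendor field rather than on a device ID; and it qualifies the filter with usb.bus_id, because a device address such as 17 is only unique per bus, and it changes every time the adapter is re-plugged, so lsusb has to be re-run before each capture.

```python
"""Pick the usbmon interface and Wireshark display filter for an FTDI adapter
from lsusb output. Added example; the sample listing below is constructed
from the lsusb output in the issue, and the function names are assumptions."""
import re
import subprocess

# Constructed sample: the lsusb listing from the issue, one device per line.
SAMPLE_LSUSB = """\
Bus 002 Device 002: ID 8087:8002 Intel Corp.
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:800a Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 17aa:1034
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 003: ID 0bda:0129 Realtek Semiconductor Corp. RTS5129 Card Reader Controller
Bus 003 Device 002: ID 17aa:1034
Bus 003 Device 017: ID 0403:6010 Future Technology Devices International, Ltd FT2232C/D/H Dual UART/FIFO IC
"""

FTDI_VENDOR_ID = "0403"   # USB vendor ID of FTDI; 6010 is the FT2232 product ID

# "Bus 003 Device 017: ID 0403:6010 <description>"; the description may be empty.
LSUSB_RE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$")


def parse_lsusb(text):
    """Return one dict per device line: bus, device (ints), vid, pid, desc."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            devices.append({
                "bus": int(m.group(1)),
                "device": int(m.group(2)),
                "vid": m.group(3),
                "pid": m.group(4),
                "desc": m.group(5),
            })
    return devices


def find_by_vendor(devices, vid=FTDI_VENDOR_ID):
    """Match on the vendor half of the ID, so any FTDI product is found."""
    return [d for d in devices if d["vid"] == vid]


def capture_plan(dev):
    """usbmon interface and display filter for one device. The filter includes
    the bus id because device addresses are only unique per bus."""
    return {
        "interface": "usbmon%d" % dev["bus"],
        "display_filter": "usb.bus_id == %d && usb.device_address == %d"
                          % (dev["bus"], dev["device"]),
    }


if __name__ == "__main__":
    # Use the live listing when lsusb is available, otherwise the sample.
    try:
        text = subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_LSUSB
    for dev in find_by_vendor(parse_lsusb(text)):
        plan = capture_plan(dev)
        print("%s:%s %s" % (dev["vid"], dev["pid"], dev["desc"]))
        print("  sudo modprobe usbmon")
        print("  capture interface: %s" % plan["interface"])
        print("  display filter:    %s" % plan["display_filter"])
```

Run it after plugging in the adapter and before starting the capture; if the address printed differs from the one used last time, the old filter would silently show nothing, which is easy to mistake for an idle bus.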

jmgomez-IAA commented 4 years ago

USB

Reset the USB chain

echo -n "0000:08:00.0" | tee /sys/bus/pci/drivers/xhci_hcd/unbind

echo -n "0000:08:00.0" | tee /sys/bus/pci/drivers/xhci_hcd/bind